CVE-2025-58609: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in the Latest Post Shortcode WordPress plugin developed by Iulia Cazan. The vulnerability affects versions through 14.0.3 and was disclosed on September 3, 2025. The issue has been assigned CVE-2025-58609 and received a CVSS v3.1 base score of 6.5 (Medium) (Patchstack).

The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation. It requires low privileges and user interaction to exploit. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, indicating network attack vector, low attack complexity, low privileges required, and user interaction required (NVD).

If successfully exploited, this vulnerability could allow an attacker to inject malicious scripts into the website. These scripts could be executed when visitors access the affected pages, potentially leading to theft of sensitive information, session hijacking, or other malicious activities (Patchstack).

The vulnerability has been fixed in version 14.10 of the Latest Post Shortcode plugin. Users are advised to update to this version or later to remove the vulnerability (Patchstack).